
It seems a new version - 0.8.2 - of cr-gpg (the GPG browser extension for Gmail on Chrome) was released today, so here is a brief note on a few bugs I reported in late August.

The cr-gpg extension for Chrome/Gmail consists of a couple of HTML/JS files plus a native .dll/.so/.dylib that is basically an interface for calling the gpg console command (in the old version) or GPGME (in the current/new version).

So I guess "calling the console command" spoils the surprise - yes, a few of these bugs were shell injections in various places. The most interesting one was the recipient e-mail address when replying to an e-mail and encrypting it - you can of course set the Reply-To: field to anything - kudos to Tavis for this idea (my ideas were a MITM scenario with http://mail.google.com - see the other bugs - or an XSS on said site invoking the plugin). E.g.: Reply-To: `echo${IFS}blabla`@gmail.com. See also some pictures below (click to zoom).

The rest of the bugs were:
* While encrypting an e-mail, /tmp/outputMessage.txt was created with -rw-rw-r-- permissions. Please remember that it's encrypted; the only thing it could be used for is learning who the e-mail is addressed to, in case the attacker/sniffer can match the key ID. So this was a minor privacy issue at most.
* The manifest allowed http://mail.google.com/ to use cr-gpg. This might aid an attacker in a MITM scenario (MITM → redirect any page to http://... → JS → shell exec).
* (Discovered later): XSS in the message body (well, you decrypt the message and you get XSSed; kinda bad).

Anyways, this all is fixed now in 0.8.2 (it's still considered to be alpha btw).

The authors were really responsive and fixed the issues fast. Kudos for that :)

Two more things:
1. The authors were already working on the GPGME version of cr-gpg at the time of the report, so the shell injections would have been fixed even without me reporting this.
2. Funny story - Krzysztof Kotowicz (Hi ;>) discovered and reported the shell injections and the XSS at about the same time. He also showed these bugs today at a conference in Belgium.

Changed in 0.8.2:
"Fixed a number of security issues reported by both Gynvael Coldwind (http://gynvael.coldwind.pl/) and Krzysztof Kotowicz (http://blog.kotowicz.net/) [...]"

So if you're testing this (still alpha), be sure to update.